eBay dumps users into insecure authentication mechanism

Web tat bazaar eBay appears to be suggesting its readers adopt known-to-be-insecure practices when logging on to the service.

eBay has long offered customers the chance to get their hands on a hard token that generates one-time-passwords. But Krebs on Securityreports that a reader received an email from eBay telling customers “We're going to make 2 step verification more convenient by texting you a PIN instead of having you use your token.”

On the face of it, that's not the worst idea in the world: it's easy to forget to bring a hard token with you, but who leaves the house without their phone? Hard tokens also cost money, need occasional battery replacements, can break and generate other administrivial chores.

But there's one big problem with eBay's plan, namely that two-factor authentication (2FA) over SMS messages has been shown to be insecure. So insecure that the United States National Institute for Standards and Technology (NIST) last year recommended it be abandoned as an authentication technique.

NIST's beef with 2FA-over-SMS is that TXT messages can be intercepted, making it possible for bad actors to sniff incoming one-time-passwords.

There's a moderately-happy ending to this story, because eBay told Krebs it's not giving up on other 2FA mechanisms and will shortly have more to say on the topic. ®